Sitecore Developer Blog

Main menu

Post navigation

Sitecore compliance with GDPR- Part II

In my previous blog, I wrote about GDPR compliance at large. Let’s look more closely how should be done and how in Sitecore.

There are a lot of customization to do whatever which Sitecore version you are using. Starting starting with Sitecore 8.2 Update 7 Sitecore provides few useful tools. Since this version has been release few weeks before May 25th deadline you may implement all by you own.

Options:

Upgrade to Sitecore 9

Upgrade to Sitecore 8.2 Update 2 released April 26th

Customize current implementation

The right to be informed

… or being or being transparent about what you collect and how you use it (Article 12,12,4)

Sitecore 8
As a developer you can inform end-users about data you collect through a privacy policy, cookie banner, and/ or preferences page on a Sitecore XP 8.x website, but you have no way of auditing a history of interactions

Sitecore 9
Yes, you or your developer can inform end-users about data you collect through a privacy policy, cookie banner, and/ or preferences page on a Sitecore XP 9.0 website, and can audit a history of interactions via the Sitecore xConnect™ API.

You have to store somewhere all information about client consent. to prove who, when and to what they consent to. Staring with Sitecore 8.2 update 7 you can use xDB to store this information, but it can be any safe place.

As a developer you can configure your Sitecore implementation to track your efforts to inform end-users about data you collect through your privacy policy. xDB can be configured to include a collection facet called Privacy Policy Acknowledgement. This collection has an audit trail of if and when a contact has acknowledged your privacy policy. The collection contains this:

Agreement Date – specifies the date that the contact they agreed to the latest privacy policy.

Policy Identifier – specifies the unique identifier for the policy. This can include version number.

The right of access

… or allowing individuals to see what personal data you’re processing and storing (Article 15)

Sitecore 8
No product feature support out of the box. Sitecore xDB stores a user’s interaction history within the database. As a developer, you can customize your Sitecore xDB to find and remove an individual’s data from the database.

Sitecore 9
Sitecore XP 9 has dedicated features for the right of erasure (or right to be forgotten). A contact’s personal data can be deleted through a Sitecore API call, “Execute Right To Be Forgotten.” This feature irreversibly removes the contact’s

The right to rectification

… or allowing individuals to have their personal data corrected (Article 16)

Sitecore 8
You’ll need to make changes to Sitecore (and any other systems) to edit / change / delete personal data on request. Personal information can be managed in User Security, List Management, and customized directly in MongoDB.

Sitecore 9
You need to make changes to Sitecore (and any other systems) to edit / change / delete personal data on request.Personal information can be managed in User Security, List Management, and customized directly through the Sitecore xConnect API (e.g., through a web form).

The right to erasure

… also known as the right to be forgotten (Article 17)

Sitecore 8
No product feature support out of the box. Sitecore xDB stores a user’s interaction history within the database. As a developer, you can customize your Sitecore xDB to find and remove an individual’s data from the database.

Sitecore 9
Sitecore XP 9 has dedicated features for the right of erasure (or right to be forgotten). A contact’s personal data can be deleted through a Sitecore API call, “Execute Right To Be Forgotten.” This feature irreversibly removes the contact’s

Anonymize Contact

Before Sitecore 8.2 Update 7 :By setting contact identifier to null and it identification level to none. Merge Contact after

Starting with Sitecore 8.2 Update 7 you can use the removeContactPiiSensitiveData pipeline to enable this right. It is up to you, as a developer, to decide where, when, and how to call this pipeline. You can use the pipeline as a background worker process, or in many other ways. Because it is not possible to remove all personal data from the system if a contact has an active session, once configured by you the pipeline locks the contact before it removes data to make sure that there are no active sessions for the contact.

The right to restrict processing

Sitecore 8
Sitecore XP 8 allows you to customize how much personal data you wish to process. Opt-in and opt-out is a customization.

Sitecore 9
Sitecore XP 9 allows you to customize how much personal data you wish to process. Opt-in and opt-out is a customization.

The right to data portability

… or giving individuals the personal data you have about them (Article 20)

Sitecore 8
No product feature support out of the box. Sitecore xDB stores a user’s interaction history is within the database. As a developer, you can customize your Sitecore xDB to find an individual’s data and extract it from the database.

Sitecore 9
Sitecore XP 9 ensures full interaction history is available and can be exported from the Sitecore xConnect API and provided to your end user in your chosen format.

Contact Repository

As a developer, you can choose to use the contact repository API to retrieve the full interaction history for the given contact